Recent OFAC Settlement targets Cryptocurrency Transactions
OFAC recently published a series of settlements related to US sanctions violations, involving a commercial bank, a trade finance bank and a crypto firm.
In the case of the crypto firm, the company is based in California and offers, among other services, crypto exchange and non-custoodial wallet management.
The case in a nutshell: From March 2015 to December 2019 the crypto firm processed 183 cryptocurrency transactions worth approx. USD 9 million. The clients involved were located in sanctioned countries such as Cuba, Iran, Sudan and Syria, but also in Crimea. The firm tracked IP addresses at account logins by clients, however the usage of these data was limited to security measures but not included in sanctions controls. According to the settlement notice, the firm did not verify the indicated client locations (as provided by them at onboarding) against the collected login IP addresses. It so happened that the company did not identify possible actual client locations in sanctioned countries.
OFAC states that the firm has since taken appropriate measures to enhance their sanctions compliance program.
The settlement amount of USD 98,830 may seem low, however the impact of this case should not be underestimated, since the indications provided in the settlement notice clearly outline OFAC’s expectations towards crypto firms, exchanges and wallet providers on what their sanctions compliance programs must include.
Lessons learned from this case for crypto wallet services and exchanges are in particular:
- Match IP address data against lists of sanctioned countries, in addition to existing screening activities (e.g. sanctioned crypto address checks).
- Thoroughly verify client information provided at onboarding and compare it on an ongoing basis with data gathered about the clients through e.g. logins.
- Verify what further data gathered in business processes can be leveraged for sanctions controls.
- Consider an IP address block process and e-mail related restrictions.
- Perform periodic batch screening (of e.g. all crypto addresses of clients, and those that appeared in transactions).
- Assure that end-user agreements provide sufficient awareness of clients regarding sanctions regulations, and measures in case of non-compliance.
In sum, this settlement case appears of major importance for all compliance officers active in the cryptocurrency space, and should be taken into account when setting up or reviewing any compliance framework.